
MBR Rootkit?


56 replies to this topic

#1 ucez

Posted 26 December 2009 - 04:42 PM

Both IE and Firefox are grinding to a halt. When trying to log on to eBay, it redirects to an eBay spam site asking for personal info. I haven't been able to find the virus, but noted that the RootRepeal log found an MBR rootkit. Logs below. Thanks in advance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 16:21:38.20 on Sat 12/26/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============

C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\SYSTEM32\starter.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\Administrator.EF.001\Desktop\dds.scr
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k wugroup

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [EnsoniqMixer] c:\winnt\system32\starter.exe
mRun: [Promon.exe] Promon.exe
mRun: [AtiPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [EPSON Stylus Photo R200 Series] c:\winnt\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [WbLogon] c:\progra~1\smartm~1\WbLogon.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email01.secureserver.net/Download.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.001\applic~1\mozilla\firefox\profiles\tgadn0gz.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-12-26 20:44:54 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_63c.dat
2009-12-26 20:43:51 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_37c.dat
2009-12-26 20:07:35 77312 ----a-w- c:\winnt\MBR.exe
2009-12-26 20:07:28 261632 ----a-w- c:\winnt\PEV.exe
2009-12-26 20:07:14 0 d-----w- C:\ComboFix
2009-12-26 20:04:31 236816 ----a-w- c:\winnt\system32\CF22548.exe
2009-12-26 20:04:31 236816 ----a-w- c:\winnt\system32\CF22542.exe
2009-12-24 13:45:39 0 d-----w- c:\docume~1\admini~1.001\applic~1\Malwarebytes
2009-12-24 13:43:47 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-12-24 13:43:43 0 d-----w- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
2009-12-24 13:43:40 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-12-24 13:43:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 12:25:26 73728 ----a-w- c:\winnt\system32\javacpl.cpl

==================== Find3M ====================

2009-10-27 17:54:22 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-10-16 20:13:32 1227264 ----a-w- c:\winnt\system32\quartz.dll
2009-10-13 11:17:16 64784 ----a-w- c:\winnt\system32\mswsock.dll
2009-10-11 09:17:27 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-10-09 06:21:10 61200 ----a-w- c:\winnt\system32\RASCHAP.DLL
2009-10-09 06:21:10 101136 ----a-w- c:\winnt\system32\rastls.dll
2009-10-08 13:54:56 417552 ----a-w- c:\winnt\system32\oakley.dll
2004-12-30 22:40:48 5973039 ----a-w- c:\program files\Uninst.isu
2004-12-30 22:40:02 63 ----a-w- c:\program files\_UNODBC.LOG
2004-09-11 01:48:56 271 ---h--w- c:\program files\desktop.ini
2004-09-11 01:48:56 21952 ---h--w- c:\program files\folder.htt
2001-11-06 18:19:58 36864 ----a-w- c:\program files\comuninst32.exe
2000-11-17 15:10:46 54272 ----a-w- c:\program files\isauninst32.dll
1999-12-07 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys
1999-08-12 10:20:00 34816 ----a-w- c:\program files\Patch.exe
1999-08-12 10:20:00 171520 ----a-w- c:\program files\PATCHW32.DLL

============= FINISH: 16:23:14.29 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 12/26/2009 10:42:46 AM (6 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | 8IRXP

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 8.1.3
All-Pro Software StatTrak for Volleyball 6.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Client Activator 2.0 - English (2)
Client Activator 2.0 - English (All)
Creative PCI Audio Drivers
Data Converter
EPSON CardMonitor
EPSON Printer Software
Finding Nemo UWF
Free DWG Viewer 6.3
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
Huffyuv AVI lossless video codec (Remove Only)
Intel Application Accelerator
Intel® PRO Ethernet Adapter and Software
Internet Explorer Q903235
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 17
Java™ SE Runtime Environment 6 Update 1
Lets Ride Corral Club
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 1.1 Security Update (KB971108)
Microsoft .NET Framework 2.0
Microsoft AntiSpyware
Microsoft Money 2006
Microsoft Office 2000 SR-1 Premium
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
QuickBooks Pro Edition 2004
Quicken 2007
QuickTime
Recover Files 2.0
Remove DivX Pro Codec
Samsung ML-1740 Series
Scanner
Security Update for DirectX 9 (KB951698)
Security Update for DirectX 9.0 (KB971633)
Security Update for DirectX 9.0 (KB976138)
Security Update for DirectX 9.0b (KB961373)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Microsoft .NET Framework 2.0 (KB947746)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 6.4 (KB954600)
Security Update for Windows Media Player 6.4 (KB974112)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Media Player 9 (KB973540)
Sentinel System Driver
Shareaza 2.4.0.0
Sony USB Driver
TaxCut 2004
TurboTax Deluxe 2005
TurboTax ItsDeductible 2005
Update Rollup 1 for Windows 2000 SP4
Verizon Broadband Toolbar
WebFldrs
WexTech AnswerWorks
Winamp (remove only)
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB887797
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923561
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938464
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB945553
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951066
Windows 2000 Hotfix - KB951748
Windows 2000 Hotfix - KB951748-V2
Windows 2000 Hotfix - KB952004
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB954211
Windows 2000 Hotfix - KB955069
Windows 2000 Hotfix - KB955759
Windows 2000 Hotfix - KB956391
Windows 2000 Hotfix - KB956802
Windows 2000 Hotfix - KB956844
Windows 2000 Hotfix - KB957095
Windows 2000 Hotfix - KB957097
Windows 2000 Hotfix - KB958215
Windows 2000 Hotfix - KB958470
Windows 2000 Hotfix - KB958644
Windows 2000 Hotfix - KB958687
Windows 2000 Hotfix - KB958690
Windows 2000 Hotfix - KB958869
Windows 2000 Hotfix - KB959426
Windows 2000 Hotfix - KB960225
Windows 2000 Hotfix - KB960714
Windows 2000 Hotfix - KB960715
Windows 2000 Hotfix - KB960803
Windows 2000 Hotfix - KB960859
Windows 2000 Hotfix - KB961371-V2
Windows 2000 Hotfix - KB961501
Windows 2000 Hotfix - KB963027
Windows 2000 Hotfix - KB967715
Windows 2000 Hotfix - KB968537
Windows 2000 Hotfix - KB969059
Windows 2000 Hotfix - KB969897
Windows 2000 Hotfix - KB969898
Windows 2000 Hotfix - KB969947
Windows 2000 Hotfix - KB970238
Windows 2000 Hotfix - KB971486
Windows 2000 Hotfix - KB971557
Windows 2000 Hotfix - KB971961
Windows 2000 Hotfix - KB972260
Windows 2000 Hotfix - KB973346
Windows 2000 Hotfix - KB973354
Windows 2000 Hotfix - KB973507
Windows 2000 Hotfix - KB973525
Windows 2000 Hotfix - KB973869
Windows 2000 Hotfix - KB973904
Windows 2000 Hotfix - KB974318
Windows 2000 Hotfix - KB974392
Windows 2000 Hotfix - KB974455
Windows 2000 Hotfix - KB974571
Windows 2000 Hotfix - KB976325
Windows 2000 Hotfix - KB976749
Windows 2000 Hotfix (SP5) Q818043
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
XviD Video Codec 27.11.2002-00:20 (uManiac's build)
Yahoo! Address AutoComplete
Yahoo! Internet Mail

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/26 16:24
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xEB430000 Size: 61440 File Visible: No Signed: -
Status: -

Name: dump_IdeChnDr.sys
Image Path: C:\WINNT\System32\Drivers\dump_IdeChnDr.sys
Address: 0xBD8FD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xBA2DB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: c:\winnt\temp\mcmsc_donvax8ubgoyugw
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\winnt\temp\mcmsc_kgomcglxou3c0vz
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\winnt\temp\sqlite_4ag8so4agevtzve
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\winnt\temp\sqlite_vzye2w3bgxrbxsm
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\winnt\temp\sqlite_z3zu38u5ulws3wr
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\default user.winnt\application data\sacore\cache\da39a3ee5e6b4b0d3255bfef95601890afd80709\d4591e5af4bcd5fd285becc77a9efec85de556fc\d4591e5af4bcd5fd285becc77a9efec85de556fc\data.dat
Status: Allocation size mismatch (API: 40, Raw: 0)

SSDT
-------------------
ServiceTable Hooked [0x80480a20]!

#: 046 Function Name: NtCreateThread
Status: Hooked by "C:\WINNT\system32\drivers\wpsdrvnt.sys" at address 0xeb7e1c60

#: 093 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINNT\system32\drivers\wpsdrvnt.sys" at address 0xeb7e18f0

#: 217 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINNT\system32\drivers\wpsdrvnt.sys" at address 0xeb7e1e90

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINNT\system32\drivers\wpsdrvnt.sys" at address 0xeb7e1e20

==EOF==


#2 fenzodahl512

Posted 26 December 2009 - 07:13 PM

Download this tool to your desktop:

http://www2.gmer.net/mbr/mbr.exe

Double-click it and post the log it creates on the desktop (mbr.log).



GMER Rootkit Scanner - Download - Homepage
Why? Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the GMER log as an initial check for the presence of rootkits:
  • Extract the contents of the zipped file to desktop.
  • Double-click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 ucez
  • Topic Starter

Posted 27 December 2009 - 07:53 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
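
The verdict in the mbr.log above comes from a cross-view check: the tool reads sector 0 through the ordinary user-mode path and again from its own kernel driver, and a rootkit whose disk filter hands user-mode readers the original sector shows up as a difference between the two reads. The script below is an added example, not part of this thread and not GMER's code; it builds two constructed 512-byte MBR images, parses the partition table, and reports which region of the sector the two views disagree on. The names build_sample_mbr, parse_partitions and cross_view_check, and both sample images, are this example's own.

```python
"""Cross-view MBR check (added example; constructed data, not captured from the
machine in this thread).  Compares the MBR as returned through the normal,
filterable read path with the MBR read by a lower-level path, which is what the
'user & kernel MBR OK' verdict in the mbr.exe log above summarises."""
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510           # bytes 510..511: 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR: the given boot code padded to 446 bytes, one
    bootable NTFS (type 0x07) partition at LBA 63, three empty entries, 0x55AA."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 20_971_520)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Return the non-empty partition entries; reject anything without the
    boot signature so a truncated or garbage read is not silently accepted."""
    if len(mbr) != MBR_SIZE or mbr[SIGNATURE_OFF:] != b"\x55\xAA":
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": int(status == 0x80),
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def cross_view_check(user_view: bytes, kernel_view: bytes) -> Tuple[str, List[str]]:
    """Compare the two reads byte for byte and say which region disagrees."""
    findings: List[str] = []
    if user_view == kernel_view:
        return "user & kernel MBR OK", findings
    diffs = [i for i in range(min(len(user_view), len(kernel_view)))
             if user_view[i] != kernel_view[i]]
    code_diffs = [i for i in diffs if i < BOOT_CODE_SIZE]
    table_diffs = [i for i in diffs if PART_TABLE_OFF <= i < SIGNATURE_OFF]
    if code_diffs:
        findings.append(f"boot code differs in {len(code_diffs)} bytes "
                        f"(first at offset {code_diffs[0]})")
    if table_diffs:
        findings.append(f"partition table differs in {len(table_diffs)} bytes")
    try:
        same_table = parse_partitions(user_view) == parse_partitions(kernel_view)
    except ValueError as exc:
        findings.append(f"one view is not a parseable MBR: {exc}")
        same_table = False
    if same_table and code_diffs:
        # A bootkit that wants the machine to keep booting overwrites the code
        # but leaves the partition table usable; its filter driver then hands
        # user-mode readers the original sector.  This is that pattern.
        findings.append("partition table identical in both views, boot code "
                        "differs: modified boot code hidden from user mode")
    return "user & kernel MBR MISMATCH", findings


# Constructed inputs.  The clean code mimics a standard prologue
# (xor ax,ax / mov ss,ax / mov sp,7C00h); the rogue code is an arbitrary marker.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8")
ROGUE_MBR = build_sample_mbr(b"\xEB\x3C" + b"CONSTRUCTED-ROGUE-LOADER")


def demo() -> Dict[str, str]:
    """Clean machine: both reads agree.  Infected machine: the filtered
    user-mode read returns the clean sector while the disk holds rogue code."""
    return {
        "clean": cross_view_check(CLEAN_MBR, CLEAN_MBR)[0],
        "infected": cross_view_check(user_view=CLEAN_MBR, kernel_view=ROGUE_MBR)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    for line in cross_view_check(CLEAN_MBR, ROGUE_MBR)[1]:
        print("  -", line)
```

On a real Windows host the user-mode side of this comparison is simply `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as Administrator; the kernel-side read is the part that needs a driver, which is why the tool ships one. An "OK" verdict only says the two views agree, so it does not rule out a modified MBR that is not being hidden; that case is caught by looking at the boot code itself.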

#4 ucez
  • Topic Starter

Posted 27 December 2009 - 08:18 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-27 08:11:27
Windows 5.0.2195 Service Pack 4
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\fgldapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xEB7E9C60]
SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xEB7E98F0]
SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xEB7E9E90]
SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xEB7E9E20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBD951777]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xBD95180B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBD95173B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xBD95181F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBD951833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBD951897]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBD951883]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBD9518BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBD9517F7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xBD951713]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xBD951727]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBD95178B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xBD9518FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBD95186F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBD95185B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xBD9518E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xBD9518D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xBD951763]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBD95174F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xBD951847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xBD9518AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBD9517CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBD95179F]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\0000000b 81691768
Device \Driver\ACPI \Device\0000001a 81691768
Device \Driver\ACPI \Device\0000001b 81691768
Device \Driver\ACPI \Device\0000000e 81691768
Device \Driver\MPFP \Device\MPFP wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\ACPI \Device\0000000f 81691768
Device \Driver\ACPI \Device\0000001c 81691768

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000002 81691768
Device \Driver\ACPI \Device\00000010 81691768
Device \Driver\ACPI \Device\00000011 81691768
Device \Driver\ACPI \Device\00000012 81691768
Device \Driver\ACPI \Device\00000013 81691768
Device \Driver\ACPI \Device\00000006 81691768
Device \Driver\ACPI \Device\00000015 81691768
Device \Driver\ACPI \Device\00000016 81691768
Device \Driver\ACPI \Device\00000017 81691768
Device \Driver\ACPI \Device\00000018 81691768

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
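
The GMER log above attributes every SSDT and inline ("Code") hook to one of two drivers, wpsdrvnt.sys and mfehidk.sys, and flags one service it could not see through the normal API. Read together with the caution in post #2 that rootkit scans often produce false positives, the useful first pass is to group hooks by hooking module and vendor, and to treat a hidden-service line as a cross-view mismatch to confirm rather than a verdict. The script below is an added example, not part of this thread and not GMER's code; it parses GMER lines of that shape. The trusted-vendor set, the classify_hook rules and the xyz.sys line are this example's own assumptions, not findings about the machine in the thread.

```python
"""Triage of GMER hook and hidden-service lines (added example; not GMER's own
code).  Four sample lines are copied from the log above and one (xyz.sys) is
constructed to show how an unattributed hook from a temp directory stands out."""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LINES = [
    r"SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xEB7E9C60]",
    r"SSDT \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xEB7E9E20]",
    r"Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBD951777]",
    r"SSDT \??\C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\xyz.sys ZwOpenProcess [0xEB700000]",  # constructed
    r"Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!",
]

# Vendors whose kernel hooks are expected on this machine (assumption for the
# example: McAfee appears in the installed-programs list above, and GMER itself
# attributes the Sygate driver to the firewall device stack).
TRUSTED_VENDORS = {"McAfee, Inc.", "Sygate Technologies, Inc."}

HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)"            # hook type, hooking module path
    r"(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?"    # optional "(description/vendor)"
    r"\s+(?P<func>(?:Zw|Nt)\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)


def classify_hook(module: str, vendor: Optional[str], trusted: set) -> str:
    """Decide how much attention a hook deserves.  Hooks from security
    products are normal; hooks with no vendor string or living in a temp
    directory are the ones worth pulling the file for."""
    reasons = []
    if "\\temp\\" in module.lower():
        reasons.append("loaded from a temp directory")
    if not vendor:
        reasons.append("no vendor attribution")
    if reasons:
        return "suspicious: " + "; ".join(reasons)
    if vendor in trusted:
        return "expected: hook by known security product"
    return "review: vendor not in trusted list"


def triage_gmer(lines: List[str], trusted: set) -> Dict[str, object]:
    hooks, hidden = [], []
    for line in lines:
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["verdict"] = classify_hook(d["module"], d["vendor"], trusted)
            hooks.append(d)
            continue
        s = SERVICE_RE.match(line)
        if s:
            # GMER reports a service hidden when its own view of the Services
            # key disagrees with what the API returns.  That is a cross-view
            # mismatch, not proof of malware, so the verdict is "confirm".
            hidden.append({**s.groupdict(),
                           "verdict": "confirm against HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
                                      + s.group("name")})
    return {
        "hooks": hooks,
        "hidden_services": hidden,
        "hooks_per_module": dict(Counter(h["module"] for h in hooks)),
    }


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_LINES, TRUSTED_VENDORS)
    for h in result["hooks"]:
        print(f'{h["kind"]:5} {h["func"]:20} {h["module"]}  -> {h["verdict"]}')
    for s in result["hidden_services"]:
        print(f'hidden service {s["name"]} ({s["path"]}) -> {s["verdict"]}')
```

The "hidden" service in the sample is the Windows 2000 Task Scheduler (MSTask.exe, service name Schedule); the script deliberately stops at "confirm" rather than deciding, because that decision needs the registry key and the file on disk, not just the log line.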

#5 fenzodahl512

Posted 27 December 2009 - 10:09 AM

Please download The Comedian.exe by Rorschach112 to your desktop.
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how.
  • Double-click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.
STOP if you can't complete this step, and tell me more about it.




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

(two screenshots of the save-as dialog, not reproduced)

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#6 ucez
  • Topic Starter

Posted 27 December 2009 - 11:52 AM

When running the comedian, I get the following error:

(screenshot of the error dialog, not reproduced)

#7 ucez
  • Topic Starter

Posted 27 December 2009 - 05:44 PM

Ran ComboFix. Also got a few error popups. Restarted antivirus and firewall.


ComboFix 09-12-26.05 - Administrator 12/27/2009 16:08:53.5.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.197 [GMT -5:00]
Running from: c:\documents and settings\Administrator.EF.001\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-27 21:24 . 2009-12-27 21:24 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_600.dat
2009-12-27 21:21 . 2009-12-27 21:21 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_368.dat
2009-12-27 16:20 . 2009-12-27 16:23 -------- d-----w- c:\program files\ERUNT
2009-12-26 20:04 . 2009-12-26 20:04 236816 ----a-w- c:\winnt\system32\CF22548.exe
2009-12-26 20:04 . 2009-12-26 20:04 236816 ----a-w- c:\winnt\system32\CF22542.exe
2009-12-24 13:45 . 2009-12-24 13:45 -------- d-----w- c:\documents and settings\Administrator.EF.001\Application Data\Malwarebytes
2009-12-24 13:43 . 2009-12-03 21:14 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-12-24 13:43 . 2009-12-24 13:43 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes
2009-12-24 13:43 . 2009-12-03 21:13 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-12-24 13:43 . 2009-12-24 13:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 12:57 . 2009-12-20 12:57 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-20 12:52 . 2009-12-20 12:52 -------- d-----w- c:\documents and settings\HelpAssistant\Incomplete
2009-12-20 12:52 . 2009-12-20 12:52 -------- d-----w- c:\documents and settings\HelpAssistant\IGC
2009-12-20 12:52 . 2009-03-14 12:31 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 22:08 . 2005-01-13 22:49 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-12-27 12:43 . 2009-03-21 22:31 -------- d-----w- c:\documents and settings\Default User.WINNT\Application Data\SACore
2009-12-15 14:26 . 2006-08-18 00:52 -------- d-----w- c:\program files\Calendar Creator 7.0
2009-12-13 12:25 . 2003-12-17 01:02 -------- d---a-w- c:\program files\Java
2009-11-23 11:39 . 2008-04-04 16:18 -------- d-----w- c:\program files\Verizon
2009-11-23 11:34 . 2004-12-19 19:09 -------- d-----w- c:\program files\ixlaPSS
2009-11-23 11:31 . 2004-09-16 21:24 -------- d-----w- c:\program files\InterVideo
2009-11-23 11:31 . 2003-12-13 18:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-23 11:30 . 2004-01-06 04:20 -------- d---a-w- c:\program files\Common Files\InterVideo
2009-11-23 11:28 . 2007-07-05 12:28 -------- d-----w- c:\program files\Earobics Step 2 Home
2009-11-23 11:26 . 2006-11-05 14:50 -------- d-----w- c:\program files\BearShare
2009-11-22 15:59 . 2004-12-25 21:56 -------- d---a-w- c:\documents and settings\All Users.WINNT\Application Data\PferdeHof
2009-11-22 15:59 . 2004-10-10 17:40 -------- d-----w- c:\program files\SureThing
2009-11-21 17:22 . 2009-03-21 20:01 -------- d-----w- c:\program files\McAfee
2009-11-20 07:05 . 2009-11-20 07:05 288528 ----a-w- c:\winnt\AppPatch\aclayers.dll
2009-10-27 17:54 . 2009-10-27 17:54 576512 ------w- c:\winnt\system32\WININET.DLL
2009-10-16 20:13 . 2009-02-19 06:36 1227264 ----a-w- c:\winnt\system32\quartz.dll
2009-10-13 11:17 . 2009-10-13 11:17 64784 ------w- c:\winnt\system32\mswsock.dll
2009-10-11 09:17 . 2009-03-21 22:38 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-10-09 06:21 . 2009-10-09 06:21 61200 ----a-w- c:\winnt\system32\RASCHAP.DLL
2009-10-09 06:21 . 2009-10-09 06:21 101136 ----a-w- c:\winnt\system32\rastls.dll
2009-10-08 13:54 . 2009-10-08 13:54 417552 ----a-w- c:\winnt\system32\oakley.dll
2004-12-30 22:40 . 2004-12-30 22:33 5973039 ----a-w- c:\program files\Uninst.isu
2004-12-30 22:40 . 2004-12-30 22:40 63 ----a-w- c:\program files\_UNODBC.LOG
2004-09-11 01:48 . 2004-09-08 20:57 21952 ---h--w- c:\program files\folder.htt
2001-11-06 18:19 . 2004-12-30 22:33 36864 ----a-w- c:\program files\comuninst32.exe
2000-11-17 15:10 . 2004-12-30 22:34 54272 ----a-w- c:\program files\isauninst32.dll
1999-08-12 10:20 . 2004-12-30 22:33 34816 ----a-w- c:\program files\Patch.exe
1999-08-12 10:20 . 2004-12-30 22:33 171520 ----a-w- c:\program files\PATCHW32.DLL
.

------- Sigcheck -------

[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"EnsoniqMixer"="c:\winnt\SYSTEM32\starter.exe" [2000-08-10 32768]
"Promon.exe"="Promon.exe" [2000-04-13 29184]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-27 344064]
"EPSON Stylus Photo R200 Series"="c:\winnt\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2004-12-31 469824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-23 77824]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Administrator.EF.001\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-12-18 82026]
EPSON CardMonitor.lnk - c:\program files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe [2005-6-6 258048]
QuickBooks Update Agent.lnk - c:\program files\common files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-1-22 724992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 PV8630;PV8631 WDM Device Driver;c:\winnt\system32\PV8630.sys [1998-08-10 119004]
R3 LVCam;Logitech USB Video Camera;c:\winnt\system32\DRIVERS\LVCam.sys [1999-12-07 88816]
R3 WBMS;Winbond Memory Stick Storage (MS) Device Driver;c:\winnt\system32\Drivers\WBMS.SYS [2002-09-26 29312]
R3 WBMSA;Winbond Memory Stick Storage (MS) Device Driver - A;c:\winnt\system32\Drivers\WBMSA.SYS [2001-08-22 24214]
R3 wbscr;Winbond Smartcard Reader for I/O;c:\winnt\system32\drivers\wbscr.sys [2002-04-24 19928]
R4 Ipfprnlo;Ipfprnlo; [x]
S0 fasttrak;fasttrak;c:\winnt\System32\DRIVERS\fasttrak.sys [2001-11-22 70528]
S0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2000-05-27 28224]
S1 as6eio;as6eio;c:\winnt\System32\drivers\as6eio.SYS [1997-12-09 3616]
S2 ADPTEHCD;%ADPT_USBEHCD.DeviceDesc%;c:\winnt\system32\DRIVERS\gbtehcd.sys [2001-11-19 34256]
S2 AUSBD_FilterService;AUSBD Filter Service;c:\winnt\system32\DRIVERS\gbtusbd.sys [2001-11-19 22288]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S3 ADPTHUBD;%ADPT_USBBHUBD.DeviceDesc%;c:\winnt\system32\DRIVERS\gusb2hub.sys [2001-11-19 24240]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\DRIVERS\openhci.sys [2003-06-19 24784]

.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email01.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Administrator.EF.001\Application Data\Mozilla\Firefox\Profiles\tgadn0gz.default\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WbLogon - c:\progra~1\SMARTM~1\WbLogon.exe
AddRemove-XviD - c:\program files\XviD\UninstXviD.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 17:07
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EnsoniqMixer = c:\winnt\SYSTEM32\starter.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81693188]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xeb422ac3
\Driver\ACPI -> 0x81693188
\Driver\atapi -> atapi.sys @ 0xbff70b5c
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x804c075e
ParseProcedure -> ntoskrnl.exe @ 0x804bf070
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x804c075e
ParseProcedure -> ntoskrnl.exe @ 0x804bf070
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(180)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(2536)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\winnt\system32\SHDOCVW.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\System32\SCardSvr.exe
c:\winnt\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\winnt\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\winnt\system32\Promon.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2009-12-27 17:23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 22:23
ComboFix2.txt 2009-03-21 23:22
ComboFix3.txt 2009-03-21 23:01

Pre-Run: 35,864,203,264 bytes free
Post-Run: 35,809,386,496 bytes free

- - End Of File - - 0021D66B88B3CE95DF9400C80E884C9E

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 28 December 2009 - 06:42 AM

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 ucez
  • Topic Starter

  • Members
  • 34 posts

Posted 28 December 2009 - 04:18 PM

16:09:07:968 2652 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
16:09:07:968 2652 ================================================================================
16:09:07:968 2652 SystemInfo:

16:09:07:968 2652 OS Version: 5.0.2195 ServicePack: 4.0
16:09:07:968 2652 Product type: Workstation
16:09:07:968 2652 ComputerName: EZBASE
16:09:07:968 2652 UserName: Administrator
16:09:07:968 2652 Windows directory: C:\WINNT
16:09:07:968 2652 Processor architecture: Intel x86
16:09:07:968 2652 Number of processors: 1
16:09:07:968 2652 Page size: 0x1000
16:09:07:968 2652 Boot type: Normal boot
16:09:07:968 2652 ================================================================================
16:09:08:031 2652 ForceUnloadDriver: NtUnloadDriver error 2
16:09:08:093 2652 ForceUnloadDriver: NtUnloadDriver error 2
16:09:08:093 2652 ForceUnloadDriver: NtUnloadDriver error 2
16:09:08:093 2652 MyNtCreateFileW: NtCreateFile(\??\C:\WINNT\system32\Drivers\KLMD.sys) returned status 0
16:09:08:203 2652 main: Driver KLMD successfully dropped
16:09:08:265 2652 main: Driver KLMD successfully loaded
16:09:08:265 2652
Scanning Registry ...
16:09:08:265 2652 ScanServices: Searching service UACd.sys
16:09:08:265 2652 ScanServices: Open/Create key error 2
16:09:08:265 2652 ScanServices: Searching service TDSSserv.sys
16:09:08:265 2652 ScanServices: Open/Create key error 2
16:09:08:265 2652 ScanServices: Searching service gaopdxserv.sys
16:09:08:265 2652 ScanServices: Open/Create key error 2
16:09:08:265 2652 ScanServices: Searching service gxvxcserv.sys
16:09:08:265 2652 ScanServices: Open/Create key error 2
16:09:08:265 2652 ScanServices: Searching service MSIVXserv.sys
16:09:08:265 2652 ScanServices: Open/Create key error 2
16:09:08:281 2652 UnhookRegistry: Kernel module file name: C:\winnt\system32\ntoskrnl.exe, base addr: 80400000
16:09:08:734 2652 UnhookRegistry: Kernel local addr: 900000
16:09:08:734 2652 UnhookRegistry: KeServiceDescriptorTable addr: 9808E0
16:09:08:781 2652 UnhookRegistry: KiServiceTable addr: 9721E8
16:09:08:781 2652 UnhookRegistry: NtEnumerateKey service number (local): 3C
16:09:08:781 2652 UnhookRegistry: NtEnumerateKey local addr: A1263E
16:09:08:796 2652 KLMD_OpenDevice: Trying to open KLMD device
16:09:08:796 2652 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
16:09:08:796 2652 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0x8042FC31[0x4]
16:09:08:796 2652 UnhookRegistry: NtEnumerateKey service number (kernel): 3C
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0x804722D8[0x4]
16:09:08:796 2652 UnhookRegistry: NtEnumerateKey real addr: 8051263E
16:09:08:796 2652 UnhookRegistry: NtEnumerateKey calc addr: 8051263E
16:09:08:796 2652 UnhookRegistry: No SDT hooks found on NtEnumerateKey
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0x8051263E[0xA]
16:09:08:796 2652 UnhookRegistry: Splicing found on NtEnumerateKey
16:09:08:796 2652 KLMD_WriteMem: Trying to WriteMemory 0x8051263E[0xA]
16:09:08:796 2652 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
16:09:08:796 2652
Scanning Kernel memory ...
16:09:08:796 2652 KLMD_OpenDevice: Trying to open KLMD device
16:09:08:796 2652 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
16:09:08:796 2652 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:09:08:796 2652 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82067D50
16:09:08:796 2652 DetectCureTDL3: KLMD_GetDeviceObjectList returned 8 DevObjects
16:09:08:796 2652 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 81AD73D0
16:09:08:796 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AD73D0
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AD73D0[0x38]
16:09:08:796 2652 DetectCureTDL3: DRIVER_OBJECT addr: 82067D50
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0x82067D50[0xA8]
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1536FC8[0x208]
16:09:08:796 2652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:09:08:796 2652 DetectCureTDL3: IrpHandler (0) addr: EB42692C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (2) addr: EB42692C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (3) addr: EB420A7F
16:09:08:796 2652 DetectCureTDL3: IrpHandler (4) addr: EB420A7F
16:09:08:796 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (9) addr: EB422A2F
16:09:08:796 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (14) addr: EB422127
16:09:08:796 2652 DetectCureTDL3: IrpHandler (15) addr: EB422AC3
16:09:08:796 2652 DetectCureTDL3: IrpHandler (16) addr: EB422A2F
16:09:08:796 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (22) addr: EB42345F
16:09:08:796 2652 DetectCureTDL3: IrpHandler (23) addr: EB4264FE
16:09:08:796 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:796 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:796 2652 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:09:08:796 2652 KLMD_ReadMem: DeviceIoControl error 1
16:09:08:796 2652 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:09:08:796 2652 TDL3_FileDetect: Processing driver: Disk
16:09:08:796 2652 TDL3_FileDetect: Parameters: C:\WINNT\system32\drivers\disk.sys, C:\WINNT\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
16:09:08:796 2652 TDL3_FileDetect: Processing driver file: C:\WINNT\system32\drivers\disk.sys
16:09:08:796 2652 KLMD_CreateFileW: Trying to open file C:\WINNT\system32\drivers\disk.sys
16:09:08:843 2652 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 81ADA9D0
16:09:08:843 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81ADA9D0
16:09:08:843 2652 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 81ADAED0
16:09:08:843 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81ADAED0
16:09:08:843 2652 KLMD_ReadMem: Trying to ReadMemory 0x81ADAED0[0x38]
16:09:08:843 2652 DetectCureTDL3: DRIVER_OBJECT addr: 81AFA3B0
16:09:08:843 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AFA3B0[0xA8]
16:09:08:843 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1522D08[0x208]
16:09:08:843 2652 16:09:08:843 2652 DetectCureTDL3: IrpHandler (0) addr: EB7845CE
16:09:08:843 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:843 2652 DetectCureTDL3: IrpHandler (2) addr: EB7845CE
16:09:08:843 2652 DetectCureTDL3: IrpHandler (3) addr: EB7845E8
16:09:08:859 2652 DetectCureTDL3: IrpHandler (4) addr: EB7845E8
16:09:08:859 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (9) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (14) addr: EB783B5E
16:09:08:859 2652 DetectCureTDL3: IrpHandler (15) addr: EB780468
16:09:08:859 2652 DetectCureTDL3: IrpHandler (16) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (22) addr: EB782048
16:09:08:859 2652 DetectCureTDL3: IrpHandler (23) addr: EB7821C2
16:09:08:859 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0xEB780764[0x400]
16:09:08:859 2652 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
16:09:08:859 2652 16:09:08:859 2652 16:09:08:859 2652 16:09:08:859 2652 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 81AF6270
16:09:08:859 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AF6270
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AF6270[0x38]
16:09:08:859 2652 DetectCureTDL3: DRIVER_OBJECT addr: 82067D50
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0x82067D50[0xA8]
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1536FC8[0x208]
16:09:08:859 2652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:09:08:859 2652 DetectCureTDL3: IrpHandler (0) addr: EB42692C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (2) addr: EB42692C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (3) addr: EB420A7F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (4) addr: EB420A7F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (9) addr: EB422A2F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (14) addr: EB422127
16:09:08:859 2652 DetectCureTDL3: IrpHandler (15) addr: EB422AC3
16:09:08:859 2652 DetectCureTDL3: IrpHandler (16) addr: EB422A2F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (22) addr: EB42345F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (23) addr: EB4264FE
16:09:08:859 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:09:08:859 2652 KLMD_ReadMem: DeviceIoControl error 1
16:09:08:859 2652 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:09:08:859 2652 TDL3_FileDetect: Processing driver: Disk
16:09:08:859 2652 TDL3_FileDetect: Parameters: C:\WINNT\system32\drivers\disk.sys, C:\WINNT\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
16:09:08:859 2652 TDL3_FileDetect: Processing driver file: C:\WINNT\system32\drivers\disk.sys
16:09:08:859 2652 KLMD_CreateFileW: Trying to open file C:\WINNT\system32\drivers\disk.sys
16:09:08:859 2652 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 81AF5030
16:09:08:859 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AF5030
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AF5030[0x38]
16:09:08:859 2652 DetectCureTDL3: DRIVER_OBJECT addr: 82067D50
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0x82067D50[0xA8]
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1536FC8[0x208]
16:09:08:859 2652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:09:08:859 2652 DetectCureTDL3: IrpHandler (0) addr: EB42692C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (2) addr: EB42692C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (3) addr: EB420A7F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (4) addr: EB420A7F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (9) addr: EB422A2F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (14) addr: EB422127
16:09:08:859 2652 DetectCureTDL3: IrpHandler (15) addr: EB422AC3
16:09:08:859 2652 DetectCureTDL3: IrpHandler (16) addr: EB422A2F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (22) addr: EB42345F
16:09:08:859 2652 DetectCureTDL3: IrpHandler (23) addr: EB4264FE
16:09:08:859 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:859 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:859 2652 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:09:08:859 2652 KLMD_ReadMem: DeviceIoControl error 1
16:09:08:859 2652 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:09:08:859 2652 TDL3_FileDetect: Processing driver: Disk
16:09:08:875 2652 TDL3_FileDetect: Parameters: C:\WINNT\system32\drivers\disk.sys, C:\WINNT\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
16:09:08:875 2652 TDL3_FileDetect: Processing driver file: C:\WINNT\system32\drivers\disk.sys
16:09:08:875 2652 KLMD_CreateFileW: Trying to open file C:\WINNT\system32\drivers\disk.sys
16:09:08:875 2652 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 81AF7B10
16:09:08:875 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AF7B10
16:09:08:875 2652 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 81AF8550
16:09:08:875 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AF8550
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AF8550[0x38]
16:09:08:875 2652 DetectCureTDL3: DRIVER_OBJECT addr: 81AFA3B0
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AFA3B0[0xA8]
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1522D08[0x208]
16:09:08:875 2652 16:09:08:875 2652 DetectCureTDL3: IrpHandler (0) addr: EB7845CE
16:09:08:875 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (2) addr: EB7845CE
16:09:08:875 2652 DetectCureTDL3: IrpHandler (3) addr: EB7845E8
16:09:08:875 2652 DetectCureTDL3: IrpHandler (4) addr: EB7845E8
16:09:08:875 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (9) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (14) addr: EB783B5E
16:09:08:875 2652 DetectCureTDL3: IrpHandler (15) addr: EB780468
16:09:08:875 2652 DetectCureTDL3: IrpHandler (16) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (22) addr: EB782048
16:09:08:875 2652 DetectCureTDL3: IrpHandler (23) addr: EB7821C2
16:09:08:875 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0xEB780764[0x400]
16:09:08:875 2652 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
16:09:08:875 2652 16:09:08:875 2652 16:09:08:875 2652 16:09:08:875 2652 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 81AF8030
16:09:08:875 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AF8030
16:09:08:875 2652 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 81AF9850
16:09:08:875 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81AF9850
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AF9850[0x38]
16:09:08:875 2652 DetectCureTDL3: DRIVER_OBJECT addr: 81AFA3B0
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0x81AFA3B0[0xA8]
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1522D08[0x208]
16:09:08:875 2652 16:09:08:875 2652 DetectCureTDL3: IrpHandler (0) addr: EB7845CE
16:09:08:875 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (2) addr: EB7845CE
16:09:08:875 2652 DetectCureTDL3: IrpHandler (3) addr: EB7845E8
16:09:08:875 2652 DetectCureTDL3: IrpHandler (4) addr: EB7845E8
16:09:08:875 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (9) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (14) addr: EB783B5E
16:09:08:875 2652 DetectCureTDL3: IrpHandler (15) addr: EB780468
16:09:08:875 2652 DetectCureTDL3: IrpHandler (16) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (22) addr: EB782048
16:09:08:875 2652 DetectCureTDL3: IrpHandler (23) addr: EB7821C2
16:09:08:875 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0xEB780764[0x400]
16:09:08:875 2652 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
16:09:08:875 2652 16:09:08:875 2652 16:09:08:875 2652 16:09:08:875 2652 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 82075C50
16:09:08:875 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82075C50
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0x82075C50[0x38]
16:09:08:875 2652 DetectCureTDL3: DRIVER_OBJECT addr: 82067D50
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0x82067D50[0xA8]
16:09:08:875 2652 KLMD_ReadMem: Trying to ReadMemory 0xE1536FC8[0x208]
16:09:08:875 2652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:09:08:875 2652 DetectCureTDL3: IrpHandler (0) addr: EB42692C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (2) addr: EB42692C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (3) addr: EB420A7F
16:09:08:875 2652 DetectCureTDL3: IrpHandler (4) addr: EB420A7F
16:09:08:875 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (9) addr: EB422A2F
16:09:08:875 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (14) addr: EB422127
16:09:08:875 2652 DetectCureTDL3: IrpHandler (15) addr: EB422AC3
16:09:08:875 2652 DetectCureTDL3: IrpHandler (16) addr: EB422A2F
16:09:08:875 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:875 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (22) addr: EB42345F
16:09:08:890 2652 DetectCureTDL3: IrpHandler (23) addr: EB4264FE
16:09:08:890 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:890 2652 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:09:08:890 2652 KLMD_ReadMem: DeviceIoControl error 1
16:09:08:890 2652 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:09:08:890 2652 TDL3_FileDetect: Processing driver: Disk
16:09:08:890 2652 TDL3_FileDetect: Parameters: C:\WINNT\system32\drivers\disk.sys, C:\WINNT\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
16:09:08:890 2652 TDL3_FileDetect: Processing driver file: C:\WINNT\system32\drivers\disk.sys
16:09:08:890 2652 KLMD_CreateFileW: Trying to open file C:\WINNT\system32\drivers\disk.sys
16:09:08:890 2652 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 82067670
16:09:08:890 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82067670
16:09:08:890 2652 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 820696B0
16:09:08:890 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 820696B0
16:09:08:890 2652 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 820BA030
16:09:08:890 2652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 820BA030
16:09:08:890 2652 KLMD_ReadMem: Trying to ReadMemory 0x820BA030[0x38]
16:09:08:890 2652 DetectCureTDL3: DRIVER_OBJECT addr: 82069030
16:09:08:890 2652 KLMD_ReadMem: Trying to ReadMemory 0x82069030[0xA8]
16:09:08:890 2652 KLMD_ReadMem: Trying to ReadMemory 0xE152FF48[0x208]
16:09:08:890 2652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\IdeChnDr, Driver Name: IdeChnDr
16:09:08:890 2652 DetectCureTDL3: IrpHandler (0) addr: BFF817F0
16:09:08:890 2652 DetectCureTDL3: IrpHandler (1) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (2) addr: BFF817F0
16:09:08:890 2652 DetectCureTDL3: IrpHandler (3) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (4) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (5) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (6) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (7) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (8) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (9) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (10) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (11) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (12) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (13) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (14) addr: BFF84FF4
16:09:08:890 2652 DetectCureTDL3: IrpHandler (15) addr: BFF84C14
16:09:08:890 2652 DetectCureTDL3: IrpHandler (16) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (17) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (18) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (19) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (20) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (21) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (22) addr: BFF8186C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (23) addr: BFF86BE0
16:09:08:890 2652 DetectCureTDL3: IrpHandler (24) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (25) addr: 80423F1C
16:09:08:890 2652 DetectCureTDL3: IrpHandler (26) addr: 80423F1C
16:09:08:890 2652 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:09:08:890 2652 KLMD_ReadMem: DeviceIoControl error 1
16:09:08:890 2652 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:09:08:890 2652 TDL3_FileDetect: Processing driver: IdeChnDr
16:09:08:890 2652 TDL3_FileDetect: Parameters: C:\WINNT\system32\drivers\idechndr.sys, C:\WINNT\system32\Drivers\idechndr.tsk, SYSTEM\CurrentControlSet\Services\IdeChnDr, system32\Drivers\idechndr.tsk
16:09:08:890 2652 TDL3_FileDetect: Processing driver file: C:\WINNT\system32\drivers\idechndr.sys
16:09:08:890 2652 KLMD_CreateFileW: Trying to open file C:\WINNT\system32\drivers\idechndr.sys
16:09:08:921 2652
Completed

Results:
16:09:08:921 2652 Infected objects in memory: 0
16:09:08:921 2652 Cured objects in memory: 0
16:09:08:921 2652 Infected objects on disk: 0
16:09:08:921 2652 Objects on disk cured on reboot: 0
16:09:08:921 2652 Objects on disk deleted on reboot: 0
16:09:08:937 2652 Registry nodes deleted on reboot: 0
16:09:08:937 2652

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 29 December 2009 - 07:04 AM

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    mspmsnsv.dll
    comres.dll
    CLASSPNP.SYS
    atapi.sys
    ntoskrnl.exe
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 ucez

ucez
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 29 December 2009 - 07:32 AM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 07:04 on 29/12/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "mspmsnsv.dll"
C:\WINNT\system32\mspmsnsv.dll ------ 52224 bytes [04:05 11/09/2004] [23:03 26/11/2002] 36678803A8030EE9A771935CFC1848BD

Searching for "comres.dll"
No files found.

Searching for "CLASSPNP.SYS"
No files found.

Searching for "atapi.sys"
No files found.

Searching for "ntoskrnl.exe"
No files found.

-=End Of File=-

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 29 December 2009 - 07:49 AM

Erm.. That's not right.. Something must have interfered with the SystemLook result :(

Let's do this..


Please download OTL by OldTimer and save it to your desktop.

Under the Custom Scans/Fixes box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys 
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Don't change any setting... Just click on the Run Scan button.. Let it scan till it finishes..

Then a log will pop-up at your Desktop. Post the content of the log here



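The two posts above ask for the same kind of evidence: a file-by-file inventory (name, size, timestamps, MD5) of system files that must exist on any Windows install, and MD5 hashes of the disk-stack drivers that TDL3-class rootkits patch. The following is an added example, not SystemLook's or OTL's own code, showing what such a check does and why a "No files found" result for a file like ntoskrnl.exe is an anomaly rather than a clean result. It runs against a constructed temporary directory tree (not a real system), and the "known-good" hash it compares against is a constructed placeholder, not a real driver hash.

```python
"""Added example: a minimal 'filefind' plus known-hash comparison of the
kind SystemLook (:filefind) and OTL (/md5start ... /md5stop) produce.
Not the tools' own code; sample tree and hashes are constructed here."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def md5_of(path, chunk=65536):
    """Hex MD5 (upper-case, as SystemLook prints it) of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def filefind(root, names):
    """Walk root looking for the given file names (case-insensitive).

    Returns (found, missing): found maps each lower-cased name to a list of
    (path, size, mtime, md5) tuples; missing lists the requested names that
    matched nothing. A core file such as ntoskrnl.exe landing in 'missing'
    means the walk itself was interfered with, not that the file is absent.
    """
    wanted = {n.lower(): n for n in names}
    found = {key: [] for key in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            key = fn.lower()
            if key in wanted:
                path = os.path.join(dirpath, fn)
                st = os.stat(path)
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                found[key].append(
                    (path, st.st_size, mtime.strftime("%H:%M %d/%m/%Y"), md5_of(path))
                )
    missing = sorted(wanted[key] for key, hits in found.items() if not hits)
    return found, missing


def check_known_hashes(found, known):
    """Compare found files against name -> expected MD5.

    Returns the sorted names whose on-disk hash differs from the expected
    one; a patched disk-stack driver (atapi.sys, iastor.sys, ...) is the
    classic symptom the OTL /md5start list is collected to reveal.
    """
    mismatched = set()
    for key, entries in found.items():
        expected = known.get(key)
        if expected is None:
            continue
        for _path, _size, _mtime, digest in entries:
            if digest != expected.upper():
                mismatched.add(key)
    return sorted(mismatched)


def demo():
    """Build a constructed sample tree and run both checks on it."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    system32 = os.path.join(root, "system32")
    drivers = os.path.join(system32, "drivers")
    os.makedirs(drivers)
    # Constructed files: one present DLL and one 'patched' driver body.
    with open(os.path.join(system32, "mspmsnsv.dll"), "wb") as f:
        f.write(b"A" * 1024)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(b"constructed atapi.sys body (modified)\n")

    found, missing = filefind(
        root, ["mspmsnsv.dll", "comres.dll", "atapi.sys", "ntoskrnl.exe"]
    )
    # Placeholder 'known-good' hash: the MD5 of a constructed clean body,
    # NOT a real Windows driver hash.
    known = {"atapi.sys": hashlib.md5(b"constructed atapi.sys body (clean)\n").hexdigest()}
    mismatched = check_known_hashes(found, known)
    return found, missing, mismatched


if __name__ == "__main__":
    found, missing, mismatched = demo()
    for key, entries in found.items():
        for path, size, mtime, digest in entries:
            print(f"{path} ------ {size} bytes [{mtime}] {digest}")
    print("missing:", missing)
    print("hash mismatch:", mismatched)
```

In a real triage the known-good hashes would come from a clean copy of the same Windows build; here they are placeholders. The point of the check is the combination: a file that every install has reporting as missing, or a disk driver whose hash does not match a clean copy, is what the helper is reacting to when the SystemLook output above comes back nearly empty.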
#13 ucez

ucez
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 29 December 2009 - 08:34 AM

Having problems with IE; it hangs on 'detecting proxy settings', which seems to resolve with a log off/on, but I had to download OTL on another machine...

OTL logfile created on: 12/29/2009 8:13:56 AM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Administrator.EF.001\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 26.00 Mb Available Physical Memory | 5.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 50.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 33.33 Gb Free Space | 44.73% Space Free | Partition Type: NTFS
Drive D: | 124.57 Mb Total Space | 80.28 Mb Free Space | 64.45% Space Free | Partition Type: FAT
Drive E: | 996.20 Mb Total Space | 990.77 Mb Free Space | 99.45% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EZBASE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/29 08:18:08 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.EF.001\Desktop\OTL.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\program files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\program files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\program files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\program files\Java\jre6\bin\jqs.exe
PRC - [2009/10/02 12:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\program files\McAfee\MSK\msksrver.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\program files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\program files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\program files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 19:22:24 | 05,134,864 | ---- | M] (McAfee) -- C:\program files\McAfee\MBK\McAfeeDataBackup.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/07 22:30:22 | 00,192,128 | ---- | M] (McAfee, Inc.) -- C:\program files\McAfee\MSM\McSmtFwk.exe
PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\program files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2007/09/28 13:30:53 | 00,507,392 | ---- | M] (Motive Communications, Inc.) -- C:\program files\Verizon\McciBrowser.exe
PRC - [2007/09/28 13:30:48 | 00,936,960 | ---- | M] (Motive Communications, Inc.) -- C:\program files\Verizon\McciTrayApp.exe
PRC - [2005/02/22 18:33:36 | 00,352,256 | ---- | M] (ATI Technologies Inc.) -- C:\WINNT\system32\ati2evxx.exe
PRC - [2004/12/31 13:14:34 | 00,748,352 | ---- | M] (Microsoft Corporation) -- C:\program files\Microsoft AntiSpyware\gcasDtServ.exe
PRC - [2004/10/26 21:10:00 | 00,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2004/09/07 10:59:06 | 00,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2003/07/08 02:00:00 | 00,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINNT\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE
PRC - [2003/06/19 14:05:04 | 00,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 14:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 14:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/19 14:05:04 | 00,061,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\stisvc.exe
PRC - [2002/08/29 06:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\program files\internet explorer\IEXPLORE.EXE
PRC - [2001/10/11 16:35:00 | 00,082,026 | ---- | M] (Adobe Systems Inc.) -- C:\program files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
PRC - [2000/08/09 22:58:46 | 00,032,768 | ---- | M] (Creative Technology, Ltd.) -- C:\WINNT\system32\starter.exe
PRC - [2000/04/13 16:34:18 | 00,029,184 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\promon.exe


========== Modules (SafeList) ==========

MOD - [2009/12/29 08:18:08 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.EF.001\Desktop\OTL.exe
MOD - [2009/02/11 11:06:38 | 00,014,032 | ---- | M] () -- C:\program files\McAfee\SiteAdvisor\sahook.dll
MOD - [2003/06/19 14:05:04 | 00,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/19 14:05:04 | 00,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [1999/12/07 07:00:00 | 00,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/23 20:35:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\program files\Mozilla Firefox\components [2009/12/24 13:58:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\program files\Mozilla Firefox\plugins [2009/12/22 07:23:05 | 00,000,000 | ---D | M]

[2009/02/09 18:19:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.EF.001\Application Data\Mozilla\Extensions
[2009/02/09 18:19:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.EF.001\Application Data\Mozilla\Firefox\Profiles\tgadn0gz.default\extensions
[2009/12/26 08:34:06 | 00,000,000 | ---D | M] -- C:\program files\Mozilla Firefox\extensions

O1 HOSTS File: (27 bytes) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\program files\common files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\program files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\program files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\program files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AtiPTA] C:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe (Creative Technology, Ltd.)
O4 - HKLM..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe (Microsoft Corporation)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\program files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Promon.exe] C:\WINNT\System32\promon.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\program files\Verizon\McciTrayApp.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\Administrator.EF.001\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\program files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\program files\Adobe\Acrobat 5.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\EPSON CardMonitor.lnk = C:\program files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\program files\common files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O12 - Plugin for: .mpeg - C:\program files\internet explorer\PLUGINS\npqtplugin3.dll (Apple Computer, Inc.)
O12 - Plugin for: .spop - C:\program files\internet explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email01.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.

#14 ucez

ucez
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 29 December 2009 - 08:36 AM

OTL 'extras' log.

OTL Extras logfile created on: 12/29/2009 8:13:56 AM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Administrator.EF.001\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 26.00 Mb Available Physical Memory | 5.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 50.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 33.33 Gb Free Space | 44.73% Space Free | Partition Type: NTFS
Drive D: | 124.57 Mb Total Space | 80.28 Mb Free Space | 64.45% Space Free | Partition Type: FAT
Drive E: | 996.20 Mb Total Space | 990.77 Mb Free Space | 99.45% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EZBASE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"5801:TCP" = 5801:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"5801:TCP" = 5801:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Premium
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D2E80C8-0875-43EB-9623-47118E2DFBCA}" = Quicken 2007
"{109D28C7-FB38-483A-9C91-001CB59E2699}" = EPSON CardMonitor
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{2b02f822-a9b9-458c-80e5-3ea8c0de8471}" = QuickBooks Pro Edition 2004
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3E908702-AF35-4611-9518-955DA24B7E07}" = Microsoft XML Parser and SDK
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{536F7C74-844B-4683-B0C5-EA39E19A6FE3}" = Microsoft AntiSpyware
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}" = Sentinel System Driver
"{9984DF60-1C5B-11D3-ACA1-908A4FC10801}" = Intel Application Accelerator
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3788444-0284-49F7-8416-3DC2670754B0}" = Data Converter
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}" = Free DWG Viewer 6.3
"{BCB8D603-985E-4765-B4AB-B4B991A535B7}" = Finding Nemo UWF
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DB299A0A-69B8-4DD2-BB76-A17CF14CE649}" = Lets Ride Corral Club
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"DivX Codec" = Remove DivX Pro Codec
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"HUFFYUV" = Huffyuv AVI lossless video codec (Remove Only)
"InstallShield_{A3788444-0284-49F7-8416-3DC2670754B0}" = Data Converter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSC" = McAfee SecurityCenter
"PROSet" = Intel® PRO Ethernet Adapter and Software
"Q818043" = Windows 2000 Hotfix (SP5) Q818043
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"Q903235" = Internet Explorer Q903235
"QuickTime" = QuickTime
"Rainbow Client Activator 2.0 English" = Client Activator 2.0 - English (2)
"Rainbow Client Activator 2.0 English All" = Client Activator 2.0 - English (All)
"Recover Files_is1" = Recover Files 2.0
"Samsung ML-1740 Series" = Samsung ML-1740 Series
"SBPCIUnInstall" = Creative PCI Audio Drivers
"Scanner" = Scanner
"Shareaza_is1" = Shareaza 2.4.0.0
"StatTrak for Volleyball" = All-Pro Software StatTrak for Volleyball 6.0
"TaxCut 2004" = TaxCut 2004
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"vol_toolbar" = Verizon Broadband Toolbar
"Winamp" = Winamp (remove only)
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMP7" = Windows Media Player system update (9 Series)
"XviD_is1" = XviD MPEG-4 Video Codec
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Mail AutoComplete" = Yahoo! Address AutoComplete

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/27/2009 11:35:56 AM | Computer Name = EZBASE | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 12/27/2009 11:49:28 AM | Computer Name = EZBASE | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 12/27/2009 12:14:50 PM | Computer Name = EZBASE | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 12/27/2009 12:17:04 PM | Computer Name = EZBASE | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 12/27/2009 5:04:49 PM | Computer Name = EZBASE | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 12/27/2009 5:06:27 PM | Computer Name = EZBASE | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 12/27/2009 5:19:59 PM | Computer Name = EZBASE | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 12/27/2009 5:21:52 PM | Computer Name = EZBASE | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 12/29/2009 8:21:27 AM | Computer Name = EZBASE | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 12/29/2009 9:07:18 AM | Computer Name = EZBASE | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

[ System Events ]
Error - 12/27/2009 5:22:46 PM | Computer Name = EZBASE | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive3. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

Error - 12/27/2009 5:34:11 PM | Computer Name = EZBASE | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{836F4EC0-1279-4ACA-B3DC-1F887CECCAA7}. The
backup browser is stopping.

Error - 12/29/2009 4:34:47 AM | Computer Name = EZBASE | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 12/29/2009 4:34:57 AM | Computer Name = EZBASE | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
GP-EVO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{836F4EC0-1279-4ACA-B3.
The
master browser is stopping or an election is being forced.

Error - 12/29/2009 4:35:47 AM | Computer Name = EZBASE | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 12/29/2009 8:04:18 AM | Computer Name = EZBASE | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Run the configured recovery program.

Error - 12/29/2009 8:05:59 AM | Computer Name = EZBASE | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
5000 milliseconds: Run the configured recovery program.

Error - 12/29/2009 8:06:04 AM | Computer Name = EZBASE | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Run
the configured recovery program) after the unexpected termination of the McAfee
Personal Firewall Service service, but this action failed with the following error:
%%1450

Error - 12/29/2009 9:02:07 AM | Computer Name = EZBASE | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 12/29/2009 9:02:07 AM | Computer Name = EZBASE | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.


< End of report >

#15 fenzodahl512

  • Members
  • 6,738 posts

Posted 29 December 2009 - 09:01 AM

Hello, your OTL.txt log is not complete. Can you redo the scan again? Or find the log and post the complete log? :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive